Closed Bug 1209001 Opened 9 years ago Closed 9 years ago

Crash [@ js::ModuleObject::create] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox43 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

// Fail the i-th allocation, then the (i+1)-th, and so on, until an iteration
// runs with no injected failure firing (i.e. i exceeds the number of
// allocations f() performs). resetOOMFailure() reports whether the scheduled
// failure was hit, so it is called after every iteration, not only when f()
// throws, otherwise a silently handled OOM would leave `more` stale.
function oomTest(f) {
    var more = false;
    var i = 1;
    do {
        try {
            oomAtAllocation(i);
            f();
        } catch (e) {
            // Expected: the injected OOM surfaces as an exception.
        }
        more = resetOOMFailure();
        i++;
    } while (more);
}
function foo() {
  function testImportEntries(source, expected) {
    // `expected` is unused in this reduced testcase; the crash is in parsing.
    var module = parseModule(source);
  }
  testImportEntries('import v from "mod";', [{}]);
}
oomTest(foo);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::ModuleObject::create (cx=0x7ffff6907000) at js/src/jsobj.h:122
#0  js::ModuleObject::create (cx=0x7ffff6907000) at js/src/jsobj.h:122
#1  0x000000000062aa03 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffa7d0) at js/src/frontend/BytecodeCompiler.cpp:642
#2  0x000000000062b06d in js::frontend::CompileModule (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., optionsInput=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:843
#3  0x00000000004867ca in ParseModule (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7ffff47fc270) at js/src/shell/js.cpp:3100
#4  0x0000000000705f32 in js::CallJSNative (cx=0x7ffff6907000, native=0x4865a0 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x00000000006fb163 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#6  0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#7  0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#8  0x00000000006fb23f in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#9  0x00000000006fbdad in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffc818, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#10 0x00000000008cad6a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffc858, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc808, res=...) at js/src/jit/BaselineIC.cpp:8904
#11 0x00007ffff7feef9f in ?? ()
#12 0x00007fffffffc810 in ?? ()
#13 0x00007fffffffc7c0 in ?? ()
#14 0xfff9000000000000 in ?? ()
#15 0x0000000001b5ad60 in js::jit::DoSpreadCallFallbackInfo ()
#16 0x00007ffff7e56b80 in ?? ()
#17 0x00007ffff7ff2383 in ?? ()
#18 0x0000000000000802 in ?? ()
#19 0x00007fffffffc858 in ?? ()
#20 0x00007ffff69cb620 in ?? ()
#21 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x3ffffa3f65a8	70368647669160
rcx	0x0	0
rdx	0x0	0
rsi	0x0	0
rdi	0x0	0
rbp	0x7fffffffa320	140737488331552
rsp	0x7fffffffa2c0	140737488331456
r8	0x0	0
r9	0x3000	12288
r10	0x1b	27
r11	0x2	2
r12	0x7ffff6907000	140737330049024
r13	0x7fffffffa2d0	140737488331472
r14	0x1b52978	28649848
r15	0x7fffffffa7d0	140737488332752
rip	0x5b094c <js::ModuleObject::create(js::ExclusiveContext*)+444>
=> 0x5b094c <js::ModuleObject::create(js::ExclusiveContext*)+444>:	mov    (%rdi),%rax
   0x5b094f <js::ModuleObject::create(js::ExclusiveContext*)+447>:	mov    (%rax),%rax
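The faulting instruction above dereferences %rdi while %rdi is 0, i.e. a null pointer read inside ModuleObject::create after an allocation that was made to fail. The following is an added example, not SpiderMonkey code and not the attached fix: a small C++ allocation-failure injector in the style of the shell's oomAtAllocation()/resetOOMFailure() harness used by the testcase, with an oomTest() loop that fails allocation 1, 2, 3, ... in turn. It shows why the loop terminates (the first N at which no failure fires) and how the harness flags a create path that swallows an OOM instead of propagating nullptr. All names (tryNew, Env, Module, createModule, createUnchecked, OOMResult) are hypothetical; allocations made internally by the standard library bypass the injector.

```cpp
// Added example, not SpiderMonkey code. Names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Fault-injection state: fail the Nth allocation counted from the most
// recent oomAtAllocation(N); N == 0 disables injection.
static uint64_t gFailAt = 0;
static uint64_t gAllocCount = 0;
static bool gFailureHit = false;

void oomAtAllocation(uint64_t n) { gFailAt = n; gAllocCount = 0; gFailureHit = false; }

// Like the shell's resetOOMFailure(): disarm injection and report whether
// the armed failure actually fired on the path just exercised.
bool resetOOMFailure() {
    bool hit = gFailureHit;
    gFailAt = 0; gAllocCount = 0; gFailureHit = false;
    return hit;
}

// Every allocation in the code under test goes through here so the Nth one
// can be failed deterministically. Returns nullptr on injected failure.
template <typename T, typename... Args>
T* tryNew(Args&&... args) {
    ++gAllocCount;
    if (gFailAt != 0 && gAllocCount == gFailAt) { gFailureHit = true; return nullptr; }
    return new T(std::forward<Args>(args)...);
}

struct Env { std::vector<std::string> names; };
struct Module {
    std::unique_ptr<Env> env;
    std::unique_ptr<std::vector<std::string>> imports;
};

// Correct pattern: every allocation is checked and failure propagates as
// nullptr, so nothing downstream can touch a partially built object.
std::unique_ptr<Module> createModule() {
    std::unique_ptr<Module> m(tryNew<Module>());            // allocation 1
    if (!m) return nullptr;
    m->env.reset(tryNew<Env>());                             // allocation 2
    if (!m->env) return nullptr;
    m->imports.reset(tryNew<std::vector<std::string>>());   // allocation 3
    if (!m->imports) return nullptr;
    m->env->names.push_back("mod");
    m->imports->push_back("v");
    return m;
}

// Buggy pattern: allocation 2 is not checked. Under injection a Module with a
// null env is returned; the first consumer to dereference env crashes with a
// null read, which is the shape of the backtrace above.
std::unique_ptr<Module> createUnchecked() {
    std::unique_ptr<Module> m(tryNew<Module>());            // allocation 1
    if (!m) return nullptr;
    m->env.reset(tryNew<Env>());                             // allocation 2, unchecked
    m->imports.reset(tryNew<std::vector<std::string>>());   // allocation 3
    if (!m->imports) return nullptr;
    m->imports->push_back("v");
    return m;
}

struct OOMResult {
    int iterations;        // failure points tried, plus the final clean run
    int failuresInjected;  // distinct allocation sites that were failed
    bool allPropagated;    // every injected failure surfaced as nullptr
};

// C++ counterpart of the testcase's oomTest(): fail allocation i for
// i = 1, 2, 3, ... until an iteration where the failure does not fire, which
// means every allocation on the path has been failed once. A non-null result
// on an iteration where the failure fired means an OOM went unchecked.
template <typename F>
OOMResult oomTest(F create) {
    OOMResult r{0, 0, true};
    for (uint64_t i = 1;; ++i) {
        oomAtAllocation(i);
        std::unique_ptr<Module> result = create();
        bool more = resetOOMFailure();
        ++r.iterations;
        if (more) {
            ++r.failuresInjected;
            if (result) r.allPropagated = false;   // swallowed OOM
        } else {
            if (!result) r.allPropagated = false;  // clean run must succeed
            break;
        }
    }
    return r;
}

int main() {
    OOMResult good = oomTest(createModule), bad = oomTest(createUnchecked);
    std::printf("createModule:    %d iterations, %d injected, propagated=%d\n",
                good.iterations, good.failuresInjected, good.allPropagated);
    std::printf("createUnchecked: %d iterations, %d injected, propagated=%d\n",
                bad.iterations, bad.failuresInjected, bad.allPropagated);
    return 0;
}
```

With three injectable allocations on the path, both functions take four iterations (three failures plus one clean run); only createUnchecked is reported as not propagating, on the iteration where allocation 2 fails. In the real shell the unchecked path does not get that far, because the null is dereferenced inside create itself, which is exactly what the SIGSEGV above records.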
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150921063041" and the hash "a2bbfcdd5bf0403f00c02d1800efc74d920e7ec9".
The "bad" changeset has the timestamp "20150921063236" and the hash "ab53cb21bbbea9b7b1824633f4b34c42866e0985".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a2bbfcdd5bf0403f00c02d1800efc74d920e7ec9&tochange=ab53cb21bbbea9b7b1824633f4b34c42866e0985
Assignee: nobody → jcoppeard
Attachment #8666764 - Flags: review?(terrence)
Attachment #8666764 - Flags: review?(terrence) → review+
Looking green when testing with the other patches I pushed today:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=4b9cd2e10c67
Flags: needinfo?(jcoppeard)
The testcase sometimes fails on try, but I can't reproduce it locally.  It's not related to the content of the patch however, so I'm going to land the fix now and the testcase later when I can track down what's going on.
Flags: needinfo?(jcoppeard)
Keywords: leave-open
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5f16c6c2b969).
Test case landed.
Keywords: leave-open
https://hg.mozilla.org/mozilla-central/rev/f79b353b2608
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44